Invalidating Password Reset Links After Password Change

Overview

When a user requests a password reset from the login page, Auth0 emails them a reset link. If the user ignores that link, signs in with their existing credentials instead, and then changes their password from an internal page, the original reset link is still live. It must be invalidated explicitly, otherwise anyone who can read that email still holds a working credential for the account.

Steps to Replicate the Scenario:

  • User requests a password reset on the login page
  • User receives an email with a reset link but does not utilize it
  • User logs in using their existing credentials
  • User updates their password through an internal interface (a Management API call such as PATCH /api/v2/users/{id} that sets a new password)
  • Goal: the previously generated password reset link must no longer be usable

Applies To

  • Auth0 Management API
  • User password management
  • Password reset functionality

Cause

A password reset link is a bearer credential: it stays valid until it is used or until its lifetime expires, and changing the password by another route does not consume it. If the user updates their password without using the link, anyone with access to the original email (a shared inbox, a forwarded message, a compromised mail account) can still open the link and set a password of their own choosing, taking over the account.

Solution

To effectively invalidate all existing password reset links after a password change, utilize the Password Change Ticket feature provided by Auth0.

Generate a Password Change Ticket:

  • After the password has been updated, call the Auth0 Management API to create a password change ticket for the same user. The ticket URL is returned in the API response; discard it and never send it to the user. Use a short ttl_sec so the throwaway ticket itself expires quickly.
  • Endpoint: POST /api/v2/tickets/password-change (requires the create:user_tickets scope on the Management API token)
  • Creating the new ticket invalidates the previously generated reset link for that user. Verify by opening the original link: Auth0 should reject it instead of showing the password form.
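The following script is an added example, not code from this article or from Auth0, that performs the whole procedure in order: obtain a Management API token with the client-credentials grant, set the new password with PATCH /api/v2/users/{id}, and then create a throwaway password change ticket that is never returned to the caller. The tenant domain, client credentials, user ID, connection name and the 300-second ttl_sec are placeholder assumptions; the HTTP transport is injectable so the sequence of calls can be checked offline.

```python
import json
import urllib.parse
import urllib.request
from typing import Any, Callable, Dict, Optional

# Transport signature: send(method, url, json_body, bearer_token) -> parsed JSON response.
Sender = Callable[[str, str, Optional[Dict[str, Any]], Optional[str]], Dict[str, Any]]


def http_send(method: str, url: str, body: Optional[Dict[str, Any]],
              token: Optional[str]) -> Dict[str, Any]:
    """Real transport: JSON over HTTPS using only the standard library."""
    data = json.dumps(body).encode() if body is not None else None
    req = urllib.request.Request(url, data=data, method=method)
    req.add_header("Content-Type", "application/json")
    if token:
        req.add_header("Authorization", f"Bearer {token}")
    with urllib.request.urlopen(req, timeout=15) as resp:
        return json.load(resp)


def management_token(send: Sender, domain: str, client_id: str, client_secret: str) -> str:
    """Client-credentials grant for a Machine-to-Machine app authorized for the Management API.
    The app must be granted the update:users and create:user_tickets scopes."""
    body = {
        "grant_type": "client_credentials",
        "client_id": client_id,
        "client_secret": client_secret,
        "audience": f"https://{domain}/api/v2/",
    }
    return send("POST", f"https://{domain}/oauth/token", body, None)["access_token"]


def set_password(send: Sender, domain: str, token: str, user_id: str,
                 new_password: str, connection: str) -> Dict[str, Any]:
    """Step the user performs from the internal page: PATCH the password on the user profile.
    user_id values such as 'auth0|abc123' contain '|' and must be URL-encoded in the path."""
    encoded = urllib.parse.quote(user_id, safe="")
    body = {"password": new_password, "connection": connection}
    return send("PATCH", f"https://{domain}/api/v2/users/{encoded}", body, token)


def revoke_outstanding_reset_links(send: Sender, domain: str, token: str, user_id: str,
                                   ttl_sec: int = 300) -> None:
    """Create a password change ticket purely to supersede any earlier reset link.
    The response contains the new ticket URL; it is deliberately dropped here so it can
    never be emailed, logged or returned. ttl_sec keeps the throwaway ticket short-lived
    (300 s is an assumption; Auth0 applies its default lifetime when 0 is sent)."""
    send("POST", f"https://{domain}/api/v2/tickets/password-change",
         {"user_id": user_id, "ttl_sec": ttl_sec}, token)


def rotate_password_and_revoke_links(send: Sender, domain: str, client_id: str,
                                     client_secret: str, user_id: str, new_password: str,
                                     connection: str) -> Dict[str, Any]:
    """Full flow: password change first, ticket creation second, so a reset link requested
    between the two steps is also covered. Returns a summary without the ticket."""
    token = management_token(send, domain, client_id, client_secret)
    updated = set_password(send, domain, token, user_id, new_password, connection)
    revoke_outstanding_reset_links(send, domain, token, user_id)
    return {"user_id": updated.get("user_id", user_id), "reset_links_invalidated": True}


if __name__ == "__main__":
    # Placeholder values; replace with your tenant, M2M credentials and target user.
    print(rotate_password_and_revoke_links(
        http_send, "your-tenant.us.auth0.com", "YOUR_CLIENT_ID", "YOUR_CLIENT_SECRET",
        "auth0|abc123", "N3w-P@ssw0rd!", "Username-Password-Authentication"))
```

The transport is passed in so the same code runs against Auth0 in production and against a recording fake in a unit test; the important property to assert is that the ticket URL never escapes the revoke step.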

Impact on User Flow:

  • Generating the new password change ticket has no visible effect on the user. It does not sign them out, alter their current session, or send them any email; the only change is that the earlier reset link stops working. The user keeps using the password they just set without interruption.